Console Commands Reference

This page provides a comprehensive reference for all built-in RTFMv2 console commands.

Command Syntax

All commands follow this general syntax:

<command> [arguments] [--options]

To get help for any command:

<command> -h

---

Session Management Commands

new - Create New Session

Creates a new penetration testing session with specified target and configuration.

Syntax:

new --name <session-name> --host <target> --pass <password>

Options: - --name: Session identifier (required) - --host: Target IP address, IP range (CIDR), or domain (required) - --pass: Password for encrypting session database (required)

Behavior: - All three parameters are required - Session name and host can contain quotes, which are automatically stripped - Creates a new session in SessionManager with encrypted database - Session becomes the active current session - Session ID is generated in format: <name>-<unique-id>

Supported Host Formats: - Single IP: 192.168.1.50 - IP Range (CIDR): 10.0.0.0/24, 192.168.1.0/16 - Domain: example.com, target.local - Hostname: webserver, database.internal

Examples:

# Single host
new --name "WebApp1" --host "192.168.1.50" --pass "SecurePass"

# IP range (subnet)
new --name "NetworkScan" --host "10.0.0.0/24" --pass "SecurePass"

# Domain
new --name "DomainTest" --host "example.com" --pass "SecurePass"

# With quotes (automatically stripped)
new --name "Corporate PenTest" --host "192.168.1.0/24" --pass "SecurePass"

# Larger network
new --name "Enterprise" --host "172.16.0.0/12" --pass "SecurePass"

Output:

Creating session: WebApp1, Host: 192.168.1.50
Session created.

Return Value: - Returns the created session ID in format: <name>-<id> - Session becomes active and is accessible via SessionManager.CurrentSession

---

load - Load Existing Session

Loads a previously saved session from disk.

Syntax:

load --dir <session-directory> [--pass <password>]

Options: - --dir: Path to session directory containing session.rtfm2 file (required) - --pass: Password for decrypting session database (optional in interactive mode)

Behavior: - The command automatically appends /session.rtfm2 to the directory path - If --pass is not provided in interactive mode, you will be prompted to enter the password securely - In Node-RED or automated mode, --pass must be provided as a parameter - The directory path can be absolute or relative - Quotes in the path are automatically stripped

Examples:

# Interactive mode - will prompt for password
load --dir "./PenTest2024"

# With password specified (Node-RED/automation)
load --dir "./PenTest2024" --pass "SecurePass"

# Windows path
load --dir "C:\Sessions\WebApp1" --pass "SecurePass"

# Relative path
load --dir ../sessions/project1 --pass "SecurePass"

File Structure: The session directory should contain:

PenTest2024/
├── session.rtfm2    # Main session file (automatically loaded)
└── ...              # Other session data

---

save - Save Current Session

Saves the current session to disk. Only available in interactive mode.

Syntax:

save <session-directory> [--pass <password>]

Options: - sessionFilePath: Path where session will be saved (positional argument, required) - --pass: Password for encrypting session database (optional)

Behavior: - Interactive mode only (InteractiveOnly = true) - If --pass is not provided, you will be prompted to enter the password securely - Path can be absolute or relative - Quotes in the path are automatically stripped - Must have an active session loaded to save - Session database is encrypted with the provided password

Important Notes: - Ensure the database is not locked before saving - The save operation uses SessionManager.LoadSession() internally - Directory will be created if it doesn't exist - Existing session files at the path may be overwritten

Examples:

# Save with password prompt
save ./MySession

# Save with password specified
save ./MySession --pass "SecurePass"

# Save to absolute path
save "C:\Sessions\Backup" --pass "NewPassword"

# Save to parent directory
save ../backup/session1 --pass "SecurePass"

Example Output:

Saving session from: ./MySession
Session saved.

Error Handling:

# No session loaded
Error saving session, make sure the DB is not locked.

# Database locked
Error saving session, make sure the DB is not locked.

# Other errors
Error: [specific error message]

Note: This command is only available in interactive mode.

---

Information Commands

help - Display Help Information

Shows available commands and usage information.

Syntax:

help [--showbanner]

Options: - --showbanner: Display the main menu banner

Examples:

help                # List all commands
help --showbanner   # Show banner and commands

---

list - List Available Features

Display information about commands, sessions, plugins, and more.

Syntax:

list [options]

Options: - --commands: List all built-in commands grouped by category (Enumeration, Exploitation, Post-Exploitation, Reconnaissance, Dynamic) - --session: Print current session settings and statistics - --plugins: Print loaded plugins and their commands - --templates: Print loaded template attacks - --connections: Print active WebSocket server connections - --lua: List loaded Lua scripts and custom commands

Detailed Option Behavior:

list --commands Shows all available framework commands organized by category with title and command preview:

Enumeration:
  nmap_scan          nmap -sV -sC {target}
  dir_brute          dirb http://{target}
  ...

list --session Displays current session information including: - Session ID - RTFM Server URL - Description - Host range - Wordlist path - Hosts UP (with service counts) - Hosts DOWN

Example output:

Settings:
  Session ID: pentest-abc123
  RTFM Server URL: http://localhost:5000
  Description: Corporate pentest
  Host Range: 192.168.1.0/24
  Wordlist: /usr/share/wordlists/rockyou.txt

Hosts (UP): 5
  192.168.1.10    (Services found: 3)
  192.168.1.50    (Services found: 7)
  ...
Hosts (DOWN): 249

list --plugins Shows loaded plugins and their registered commands:

PluginName.dll
Loaded Plugin Commands:
  Command: custom-scan - Custom scanning functionality
  Command: report-gen - Generate custom reports

list --templates Lists all available template attacks:

Loaded Templates:
  sqlmap
  nikto
  dirb_scan
  metasploit_exploit

list --connections Displays active WebSocket connections with details:

Active Remote Connections:
User ID: alice    Session ID: pentest-123    Started: 2024-11-14 10:30:00Z    IP: 192.168.1.50
User ID: bob      Session ID: pentest-123    Started: 2024-11-14 10:32:15Z    IP: 192.168.1.51

list --lua Shows loaded Lua scripts and their registered commands:

Loaded Lua Scripts:
notes.lua:
 - note
 - finding
 - show-notes
recon-helper.lua:
 - quick-scan --target
 - extract-info

Examples:

list --commands     # Show all available commands by category
list --session      # Display current session info and host statistics
list --plugins      # Show loaded plugins
list --templates    # Show template attacks
list --connections  # Show active WebSocket connections
list --lua          # Show Lua scripts and custom commands
list                # Show help for list command (if no options provided)

---

hostinfo - Host Information

Retrieve detailed information about a specific host from the current session, including all discovered services.

Syntax:

hostinfo --host <ip-or-hostname>

Options: - --host: IP address or hostname (required)

Requirements: - Must have an active session loaded - Host must exist in the current session's hosts list

Output: Displays all services discovered on the host, sorted by port number, including: - Port number - Protocol - Service name - Service details

Examples:

hostinfo --host 192.168.1.10
hostinfo --host webserver.local

Example Output:

Services: 3
22/tcp - ssh - OpenSSH 8.2p1
80/tcp - http - Apache httpd 2.4.41
443/tcp - https - Apache httpd 2.4.41 (SSL)

Note: This command is only available in interactive mode and requires a loaded session.

---

Execution Commands

run - Execute Commands

Execute RTFM framework commands or custom shell commands.

Syntax:

run --command <rtfm-command>
run --custom <shell-command>

Options: - --command: RTFM framework command to execute - --custom: Custom shell command to execute from OS

Examples:

# Run RTFM framework command
run --command "nmap_scan"

# Run custom shell command
run --custom "ls -la"
run --custom "nmap -sV 192.168.1.1"

---

RunScript - Execute Script File

Execute a custom automation script file (.rtfm2) containing multiple RTFMv2 commands to be run sequentially.

Syntax:

RunScript --filePath <path-to-script>

Options: - --filePath: Path to automation script file (required)

Script File Format: - Plain text file with .rtfm2 extension - One command per line - Each line is executed as a complete RTFMv2 command - Empty lines and whitespace-only lines are skipped - Commands are executed sequentially in order - Each command is parsed and executed via the root command handler

How It Works: 1. Validates the file path is provided 2. Checks if the file exists 3. Reads all lines from the file using File.ReadAllLines() 4. For each non-empty line: - Prints "Executing: [command]" - Splits the line into arguments by whitespace - Executes via _rootCommand.InvokeAsync() 5. Continues until all commands are executed

Script Execution: - Commands run sequentially (not parallel) - Each command waits for the previous to complete - Asynchronous execution using async/await - Command failures don't stop script execution - All output is displayed in real-time

Supported Commands: Any RTFMv2 console command can be used in scripts: - Session commands: new, load, save - Information commands: list, hostinfo - Execution commands: run, shell, template - Integration commands: server, plugins, file - Lua commands (if registered)

Example Script File:

TestAutomation.rtfm2:

new --name "AutoTest" --host "192.168.1.0/24" --pass "SecurePass"
list --session
run --custom "nmap -sV 192.168.1.1"
template nikto --ip 192.168.1.1 --port 80
hostinfo --host 192.168.1.1
save ./AutoTest_Results --pass "SecurePass"

recon.rtfm2:

run --custom "nmap -sn 192.168.1.0/24"
run --custom "nmap -sV -sC 192.168.1.1"
run --custom "nikto -h 192.168.1.1"
run --custom "dirb http://192.168.1.1"

workflow.rtfm2:

list --plugins
plugins load --dir ./CustomPlugins
list --lua
server --start --port 5001
list --connections

Examples:

Basic Usage:

# Execute automation script
RunScript --filePath ./automation.rtfm2

# Execute from absolute path
RunScript --filePath "C:\Scripts\recon.rtfm2"

# Execute test automation
RunScript --filePath ./TestAutomation.rtfm2

Workflow Example:

>> RunScript --filePath ./TestAutomation.rtfm2
Loading automation file: ./TestAutomation.rtfm2
Executing: new --name "AutoTest" --host "192.168.1.0/24" --pass "SecurePass"
Creating session: AutoTest, Host: 192.168.1.0/24
Session created.
Executing: list --session
Settings:
  Session ID: AutoTest-abc123
  ...
Executing: run --custom "nmap -sV 192.168.1.1"
[nmap output...]
Executing: template nikto --ip 192.168.1.1 --port 80
Target set: 192.168.1.1
[nikto output...]
Executing: hostinfo --host 192.168.1.1
Services: 5
...
Executing: save ./AutoTest_Results --pass "SecurePass"
Session saved.

Error Handling:

No File Path Provided:

Need to specify automation file.

File Not Found:

Could not find file: ./nonexistent.rtfm2

File Read Error:

[Exception message from file system]

Creating a Script File:

Windows:

# Create script file
@"
new --name "WebTest" --host "10.0.0.1" --pass "pass123"
list --session
run --custom "nmap -sV 10.0.0.1"
save ./WebTest --pass "pass123"
"@ | Out-File -FilePath automation.rtfm2 -Encoding ASCII

Linux/macOS:

# Create script file
cat > automation.rtfm2 << 'EOF'
new --name "WebTest" --host "10.0.0.1" --pass "pass123"
list --session
run --custom "nmap -sV 10.0.0.1"
save ./WebTest --pass "pass123"
EOF

Best Practices:

1. Use Comments (Workaround):
2. Script format doesn't support comments
3. Use empty lines for readability

4. Keep commands on separate lines

5. Error Handling:

6. Scripts continue even if a command fails
7. Monitor output for errors

8. Test scripts with small datasets first

9. Password Security:

10. Avoid hardcoding passwords in script files
11. Consider using environment variables (not directly supported)

12. Secure script files with appropriate permissions

13. Path Handling:

14. Use absolute paths for reliability
15. Be cautious with relative paths in scripts

16. Ensure file paths exist before running

17. Command Ordering:

18. Create/load session before commands that require it
19. Save session at the end of the script
20. List available resources before using them

Use Cases:

• Automated Reconnaissance: Sequential scanning and enumeration
• Batch Processing: Run same commands against multiple targets
• Testing: Automated testing of RTFMv2 functionality
• Workflows: Standardized penetration testing procedures
• CI/CD Integration: Automated security testing pipelines
• Training: Reproducible demonstrations and exercises

Limitations:

• No conditional logic (if/else)
• No loops or variables
• No inline comments
• Commands execute sequentially (no parallelization)
• No script-level error handling or try/catch
• For advanced automation, use Lua scripting or Node-RED

Advanced Automation:

For complex workflows with logic, consider: - Lua Scripting: Full programming capabilities with RTFMv2 API - Node-RED: Visual workflow automation with conditions and loops - External Scripts: Call RunScript from PowerShell/Bash scripts for variables and logic

---

shell - OS Shell Access

Enter an interactive operating system shell or execute single shell commands with persistent working directory state.

Syntax:

shell [--shell <shell-type>] [--cmd <command>] [--session-id <id>]

Options: - --shell: Shell type - cmd, powershell (or pwsh), bash, sh (optional) - --cmd: Execute single shell command (for remote/WebSocket mode) (optional) - --session-id: Session identifier for maintaining shell state across calls (optional)

Operating Modes:

1. Interactive Mode (no options) - Enters a full interactive shell loop - Working directory persists across commands - Colored prompt shows current directory - Special handling for cd command - Type exit, quit, or back to return to RTFM

2. Single Command Mode (--cmd provided) - Executes a single command and returns - Used for remote/WebSocket command execution - Working directory state is maintained via --session-id - Supports cd command to change persistent directory

3. Remote Shell Initialization (--session-id without --cmd) - Initializes remote shell state - Returns startup message with current directory - Used by WebSocket clients to start shell session

Session State Management: - Uses ShellStateManager to track working directory per session ID - Session ID priority: provided --session-id > current session > new GUID - cd commands update the session's working directory - State persists across multiple shell command executions - State is removed when exit is called

Supported Shell Types:

Shell Type	Command	Platform	Notes
cmd	cmd.exe /c	Windows	Windows Command Prompt
powershell / pwsh	powershell.exe -Command	Windows	Windows PowerShell
bash	/bin/bash -c	Linux/macOS	Bourne Again Shell
sh	/bin/sh -c	Linux/macOS	POSIX Shell

Auto-Detection: - Windows: Defaults to cmd.exe - Linux/macOS: Defaults to /bin/bash - Fallback: sh

Special Commands:

cd Command: - Handled specially to maintain working directory state - Supports absolute and relative paths - Supports special paths: ~ (home), %USERPROFILE% (Windows) - cd alone shows current directory - Quotes are automatically stripped from paths - Directory changes persist across command executions

exit / quit / back: - Exits interactive shell mode - Returns to RTFM console - Removes shell state from ShellStateManager

Command Execution: - Commands run in the persistent working directory - 5-minute timeout per command - Both stdout and stderr are captured and displayed - Commands with quotes are properly escaped - Asynchronous output streaming for real-time display

Examples:

Interactive Shell:

# Enter interactive shell (auto-detect)
>> shell
Entering CMD shell mode. Type 'exit' to return to RTFM.
Current directory: C:\Users\username

[SHELL] C:\Users\username> cd Documents
[SHELL] C:\Users\username\Documents> dir
[SHELL] C:\Users\username\Documents> cd ..
[SHELL] C:\Users\username> exit

Exited shell mode.

Specific Shell Type:

# Use PowerShell
>> shell --shell powershell
Entering PowerShell shell mode. Type 'exit' to return to RTFM.
Current directory: C:\Users\username

[SHELL] C:\Users\username> Get-ChildItem
[SHELL] C:\Users\username> exit

# Use Bash (Linux/macOS)
>> shell --shell bash
Entering Bash shell mode. Type 'exit' to return to RTFM.
Current directory: /home/username

[SHELL] /home/username> ls -la
[SHELL] /home/username> cd /var/log
[SHELL] /var/log> pwd
/var/log
[SHELL] /var/log> exit

Remote/WebSocket Single Command:

# Execute single command with session tracking
shell --cmd "ls -la" --session-id "pentest-123"

# Change directory remotely
shell --cmd "cd /tmp" --session-id "pentest-123"

# Subsequent command uses new directory
shell --cmd "pwd" --session-id "pentest-123"
# Output: /tmp

# Exit remote shell
shell --cmd "exit" --session-id "pentest-123"

Special Path Examples:

# Home directory (Linux/macOS)
[SHELL] /var/log> cd ~
[SHELL] /home/username>

# User profile (Windows)
[SHELL] C:\Windows> cd %USERPROFILE%
[SHELL] C:\Users\username>

# Relative paths
[SHELL] C:\Users\username> cd Documents\Projects
[SHELL] C:\Users\username\Documents\Projects>

# Parent directory
[SHELL] C:\Users\username\Documents> cd ..
[SHELL] C:\Users\username>

Error Handling:

# Unknown shell type
>> shell --shell zsh
Unknown shell type: zsh
Available types: cmd, powershell, bash, sh

# Directory not found
[SHELL] /home/user> cd /nonexistent
Directory not found: /nonexistent

# Command timeout (5 minutes)
[SHELL] C:\> very-long-running-command
Command timed out (5 minutes). Killing process...

Colored Prompt: - [SHELL] in yellow - Working directory in cyan - > prompt in white

Technical Details: - Uses Process class with ProcessStartInfo - Redirects stdout and stderr - Asynchronous output reading with event handlers - 5-minute (300,000 ms) timeout per command - Working directory set via ProcessStartInfo.WorkingDirectory - Quote escaping for command arguments - Platform detection via RuntimeInformation

---

template - Execute Template Attacks

Execute predefined template-based attacks against targets in the current session.

Syntax:

template <attack-name> --ip <target-ip> [--hostname <hostname>] [--port <port>]

Arguments: - attack: Template attack name (positional argument, required)

Options: - --ip: Target IP address (required, unless --hostname is provided) - --hostname: Target hostname (required, unless --ip is provided) - --port: Target port (optional, defaults to 0 if not specified)

Requirements: - Must have an active session loaded (SessionManager.CurrentSession) - Target host must exist in the current session's host list - Template attack must be loaded in TemplateManager

How It Works: 1. Validates that a session is loaded 2. Determines target from --ip or --hostname (one is required) 3. Searches for the host in the current session's host list (by IP or hostname) 4. Locates the template attack by name in TemplateManager.Instance.Templates 5. Executes template.Run(host, port, OutputHandler) 6. Streams output in real-time to the console

Target Resolution: - Priority: --ip is used if provided, otherwise --hostname - Host lookup is case-insensitive for hostnames - Host must match either the IP or hostname in the session

Port Handling: - Optional parameter - If provided, parsed as integer - If parsing fails, defaults to 0 - Passed to the template's Run() method

Examples:

Basic Usage:

# Execute sqlmap template against IP with specific port
template sqlmap --ip 192.168.1.10 --port 80

# Execute nikto template with both IP and hostname
template nikto --ip 192.168.1.50 --hostname webapp.local

# Execute template using only hostname
template dirb --hostname webapp.local --port 8080

# Execute without port (defaults to 0)
template nmap_vuln --ip 10.0.0.5

Workflow Example:

# 1. Create or load session
new --name "WebTest" --host "192.168.1.0/24" --pass "SecurePass"

# 2. List available templates
list --templates
# Output:
# Loaded Templates:
#   sqlmap
#   nikto
#   dirb_scan
#   metasploit_exploit

# 3. Execute template attack
template nikto --ip 192.168.1.10 --port 80
# Output:
# Target set: 192.168.1.10
# Host found in session range.
# Template attack found: nikto executing...
# [Attack output streams here...]

Error Handling:

No Session Loaded:

Loaded session required.

No Target Specified:

IP or hostname is required.

Host Not in Session:

Unable to find host for attack: 192.168.1.10

Solution: Ensure the target is within the session's host range

Template Not Found:

Unable to find template attack: invalidtemplate

Solution: Use list --templates to see available templates

Example Output:

>> template nikto --ip 192.168.1.10 --port 80
Target set: 192.168.1.10
Host found in session range.
Template attack found: nikto executing...
- Nikto v2.1.6
- Target IP: 192.168.1.10
- Target Port: 80
- Testing...
[Real-time attack output...]

List Available Templates:

list --templates

Template Management: - Templates are loaded from TemplateManager.Instance - Template names are case-insensitive - Each template implements custom attack logic - Output is handled via DataReceivedEventArgs callback

---

Integration Commands

server - WebSocket Server Management

Start or stop the WebSocket server for remote client connections.

Syntax:

server --start [--port <port>]
server --stop

Options: - --start: Start WebSocket server - --stop: Stop WebSocket server - --port: Port number (default: 5001)

Examples:

server --start              # Start on default port 5001
server --start --port 8080  # Start on custom port
server --stop               # Stop server

Check Active Connections:

list --connections

Note: This command is only available in interactive mode.

---

plugins - Plugin Management

Load plugins from a specified directory to extend console functionality.

Syntax:

plugins load --dir <plugin-directory>

Options: - load: Load plugins from directory (required with --dir) - --dir: Directory path containing plugin DLL files (required)

How It Works: 1. Scans the specified directory for .dll files 2. Loads each DLL assembly using reflection 3. Searches for classes that extend OptionsBase 4. Creates instances of plugin command classes 5. Registers plugin commands with the root command 6. Makes plugin commands available in the console

Plugin Requirements: - Must be compiled as .NET DLL files - Must contain classes that extend RTFMv2.Core.CLI.OptionsBase - Plugin classes must not be abstract - Plugin classes must have a parameterless constructor

Behavior: - Quotes in directory path are automatically stripped - Directory must exist or command fails - Directory must contain at least one .dll file - Each successfully loaded command is registered and immediately available - Failed plugins are logged but don't stop loading of other plugins - Plugins are added to PluginLoader.LoadedPlugings list - Plugin commands are added to PluginLoader.PluginCommands list

Examples:

# Load plugins from relative path
plugins load --dir ./Plugins

# Load from absolute path
plugins load --dir "C:\RTFMv2\CustomPlugins"

# Load from subdirectory
plugins load --dir ./Extensions/MyPlugins

Example Output:

Successfully loaded and registered command: custom-scan
Successfully loaded and registered command: report-gen
Successfully loaded and registered command: data-export

Error Handling:

# Directory not found
Directory not found: ./NonExistent

# No DLLs in directory
No DLLs found in directory: ./Empty

# Failed to load specific plugin
Failed to load plugin from MyPlugin.dll: Could not load file or assembly

List Loaded Plugins:

list --plugins

Plugin Development: To create a custom plugin, extend OptionsBase:

public class MyCustomCommand : OptionsBase
{
    public MyCustomCommand()
    {
        _command = new Command("mycmd", "My custom command");
        InteractiveOnly = false;
    }

    protected override bool ExecuteCommandCore(ParseResult parseResult)
    {
        Console.WriteNormal("Custom command executed!");
        return true;
    }
}

---

file - File Transfer

Transfer files from the server's LootDir to connected clients.

Syntax:

file --copy <filename>

Options: - --copy: Copy file from server's LootDir to client

Example:

file --copy loot.txt
file --copy "passwords_found.txt"

---

Command Availability

Some commands are restricted to specific modes:

Command	Argument Mode	Interactive Mode	Node-RED Mode
help	✓	✓	✓
list	✓	✓	✓
new	✓	✓	✓
load	✓	✓	✓
save	✗	✓	✓
run	✓	✓	✓
RunScript	✓	✓	✓
shell	✓	✓	✓
template	✓	✓	✓
server	✗	✓	✓
plugins	✓	✓	✓
file	✓	✓	✓
hostinfo	✗	✓	✓

---

Common Workflows

Basic Penetration Testing Workflow

# 1. Create session
new --name "Target1" --host "192.168.1.100" --pass "SecurePass"

# 2. Run reconnaissance
run --custom "nmap -sV -sC 192.168.1.100"

# 3. Execute template attack
template nikto --ip 192.168.1.100

# 4. Save session
save ./Target1_Session --pass "SecurePass"

Loading and Continuing Previous Work

# Load existing session
load --dir ./Target1_Session --pass "SecurePass"

# Check session info
list --session

# Continue testing
shell

Using Lua Custom Commands

# List available Lua commands
list --lua

# Execute Lua-registered command
quick-scan --target 192.168.1.0/24

---

Next Steps

• Learn about Lua Scripting to create custom commands
• Explore Node-RED Integration for visual automation
• Return to Console Overview